Don't send Authorization header when it's not needed

CORS specification specifies "simple request", which does not need a preflight OPTIONS request. The only thing, which we send and is forbidding to send simple requests is Authorization header, which is not needed for public endpoints.
2013-05-02 17:59:41 +02:00 · 2013-05-02 17:59:41 +02:00 · 595393f273
commit 595393f273
parent 924b20d12e
1 changed files with 12 additions and 1 deletions
--- a/assets/scripts/lib/travis/ajax.coffee
+++ b/assets/scripts/lib/travis/ajax.coffee
@ -1,6 +1,8 @@
 jQuery.support.cors = true

 Travis.ajax = Em.Object.create
+  publicEndpoints: [/\/repos\/?.*/, /\/builds\/?.*/, /\/jobs\/?.*/]
+
  DEFAULT_OPTIONS:
    accepts:
      json: 'application/vnd.travis-ci.2+json'
@ -11,12 +13,21 @@ Travis.ajax = Em.Object.create
  post: (url, data, callback) ->
    @ajax(url, 'post', data: data, success: callback)

+  needsAuth: (method, url) ->
+    return false if method != 'GET'
+
+    result = @publicEndpoints.find (pattern) ->
+      url.match(pattern)
+
+    !result
+
  ajax: (url, method, options) ->
    method = method.toUpperCase()
    endpoint = Travis.config.api_endpoint || ''
    options = options || {}

-    if token = Travis.sessionStorage.getItem('travis.token')
+    token = Travis.sessionStorage.getItem('travis.token')
+    if token && Travis.ajax.needsAuth(method, url)
      options.headers ||= {}
      options.headers['Authorization'] ||= "token #{token}"